Cybersecurity June 2025 10 min read

Healthcare Data Breach Response: A Step-by-Step Guide

When a healthcare data breach occurs, every hour counts. This guide covers HIPAA notification requirements, immediate response steps, forensics, and recovery.

A healthcare data breach is not a hypothetical scenario — it is a when, not an if, for organisations managing large volumes of electronic protected health information. The question that separates organisations that recover well from those that face prolonged disruption, regulatory penalty, and reputational damage is whether they have planned their response before the breach occurs. This guide covers what to do at each stage of a healthcare data breach, from the moment of discovery through recovery and regulatory resolution.

HIPAA Breach Notification Requirements

Before covering response steps, it is important to understand the regulatory framework that governs how healthcare organisations must respond to a breach of ePHI.

Under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), a breach is defined as the acquisition, access, use, or disclosure of unsecured ePHI that is not permitted under the Privacy Rule. There is a presumption that any such impermissible access constitutes a breach unless the covered entity can demonstrate a low probability that the information was compromised — assessed against four factors: the nature of the information, the recipient, whether ePHI was actually acquired or viewed, and the extent to which risk has been mitigated.

The 60-day rule. Covered entities must notify affected individuals, the Secretary of HHS (via the OCR breach portal), and in some cases the media, no later than 60 calendar days from the date the breach is discovered. This clock starts on the date the organisation first knew or reasonably should have known about the breach — not the date investigation is complete.

Individual notification must be provided to each affected patient and must describe the breach, what ePHI was involved, what steps individuals should take, what the organisation is doing, and who to contact.

HHS notification. For breaches affecting 500 or more individuals, OCR must be notified within 60 days. For smaller breaches, notification can be aggregated in an annual log submitted to OCR by 1 March of the following year.

Media notification. For breaches affecting 500 or more residents of a state or jurisdiction, prominent media notice is required in addition to individual notification.

Business associates that discover a breach must notify the covered entity within 60 days of discovery, enabling the covered entity to meet its own notification obligations.
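The deadlines above interact: the 60-day clock runs from discovery rather than from the end of the investigation, the HHS route depends on whether 500 or more individuals are affected, and media notice is decided per state or jurisdiction. The following is an added worked example, not code from the article or from FZ Consulting, that turns those rules into a small deadline calculator a response team could run on day one. The threshold and window constants are taken from the text; the `Breach` and `Obligations` types and the assumption that the annual log is due 1 March of the year following the year of discovery are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Values as stated in the article (HIPAA Breach Notification Rule, 45 CFR 164 Subpart D).
NOTIFICATION_WINDOW_DAYS = 60   # individuals, HHS (500+), and business-associate-to-covered-entity
LARGE_BREACH_THRESHOLD = 500    # 500+ individuals: HHS within 60 days; 500+ residents of a state: media


@dataclass
class Breach:
    """Hypothetical breach record (this example's own type)."""
    discovered: date                   # date the organisation knew or should have known
    affected_by_state: dict            # state/jurisdiction -> number of affected residents

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


@dataclass
class Obligations:
    """Computed notification duties (this example's own type)."""
    individual_deadline: date          # last day to notify affected individuals
    hhs_deadline: date                 # last day to notify OCR via the HHS breach portal
    hhs_via_annual_log: bool           # True when the breach may go into the annual log instead
    media_notice_states: list          # states/jurisdictions needing prominent media notice
    business_associate_deadline: date  # BA must inform the covered entity by this date


def notification_obligations(b: Breach) -> Obligations:
    # The clock starts at discovery, not at the end of the investigation.
    sixty_days = b.discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    if b.total_affected >= LARGE_BREACH_THRESHOLD:
        hhs_deadline, annual = sixty_days, False
    else:
        # Assumption: "1 March of the following year" is relative to the discovery year.
        hhs_deadline, annual = date(b.discovered.year + 1, 3, 1), True

    # Media notice is assessed per state/jurisdiction, independently of the total.
    media = sorted(state for state, n in b.affected_by_state.items()
                   if n >= LARGE_BREACH_THRESHOLD)

    return Obligations(sixty_days, hhs_deadline, annual, media, sixty_days)


def days_remaining(ob: Obligations, today: date) -> int:
    """Days left on the individual-notification clock (negative means overdue)."""
    return (ob.individual_deadline - today).days


if __name__ == "__main__":
    # Constructed scenario: a breach discovered 2 June 2025 touching two states.
    b = Breach(date(2025, 6, 2), {"TX": 600, "OK": 120})
    ob = notification_obligations(b)
    print(f"Individuals by {ob.individual_deadline}, HHS by {ob.hhs_deadline} "
          f"(annual log: {ob.hhs_via_annual_log}), media notice in {ob.media_notice_states}")
    print("Days remaining as of discovery + 10:", days_remaining(ob, b.discovered + timedelta(days=10)))
```

Note that the per-state media test can fire even when the national total is small relative to the organisation's patient base, and that a breach under 500 individuals still has the same 60-day individual-notification deadline; only the HHS route changes.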

Immediate Response Steps

The first hours after discovering a potential breach are the most consequential. Speed, coordination, and careful documentation all matter.

Step 1: Contain the Incident

The immediate priority is preventing further exposure of ePHI. This may mean isolating compromised systems from the network, disabling compromised user accounts, revoking credentials, or blocking malicious IP addresses. Containment actions should be logged in detail — what was done, by whom, and at what time — to support the subsequent investigation and regulatory response.

Containment must be balanced against evidence preservation. Systems should not be rebuilt or wiped until forensic evidence has been captured.

Step 2: Activate the Incident Response Team

The response team should include IT security, clinical informatics or CMIO (given potential patient safety implications), legal counsel, compliance/HIPAA privacy officer, communications or public relations, and senior executive leadership. External forensic investigators and legal specialists in healthcare regulatory matters should be engaged immediately if not already retained.

Clear roles, a command structure, and a dedicated communication channel for the response team are essential. Document all decisions and actions taken.

Step 3: Assess the Scope

Before notifications can be made, the organisation must understand what happened. Initial assessment should answer: what systems were affected, what ePHI was potentially accessed or exfiltrated, how many individuals are involved, and when the breach began.

This assessment will evolve as investigation progresses, but an initial scope assessment drives early decisions about the scale of the response and the urgency of notification.

Forensic Investigation

A credible forensic investigation serves multiple purposes: it establishes the facts for regulatory notification, it identifies what data was actually accessed (rather than just what was exposed), it uncovers the root cause, and it provides evidence if law enforcement involvement or litigation follows.

Forensic work should be performed by qualified specialists who can preserve chain-of-custody evidence, analyse system logs, memory, and network captures, and produce a report that is defensible in regulatory proceedings. Legal counsel should manage the engagement so that work product benefits from legal privilege considerations.

The investigation should identify the initial access vector, the timeline of attacker activity, all systems accessed, any evidence of data exfiltration, and the full population of affected records. This is technically demanding work — log retention gaps, encrypted traffic, and attacker anti-forensics measures all complicate the analysis.
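To make the investigation goals concrete, here is an added example (not the article's or FZ Consulting's own tooling) that reconstructs an activity timeline for one compromised account from log lines of several sources, reporting the initial access event, the systems touched, candidate exfiltration events, the number of records exported, and gaps in log coverage of the kind the paragraph warns about. The log format, the `vpn`/`ehr-app`/`fileserver`/`proxy` source names, the field names, and the sample lines themselves are all constructed for this example; a real engagement would adapt `parse_line` to the organisation's actual log formats and apply the analysis to evidence captured under chain of custody.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): "<ISO-8601 UTC> <source> <kind> key=value ...".
SAMPLE_LOGS = """\
2025-06-01T02:13:07Z vpn auth user=jdoe src=203.0.113.5 result=success
2025-06-01T02:15:40Z ehr-app audit user=jdoe action=search patient_count=0
2025-06-01T02:16:02Z ehr-app audit user=jdoe action=export patient_count=3120 host=ehr-db-01
2025-06-01T02:18:30Z fileserver smb user=jdoe action=read host=fs-02
2025-06-01T02:40:11Z proxy egress user=jdoe dst=198.51.100.77 bytes_out=734003200
2025-06-01T08:00:00Z vpn auth user=asmith src=198.51.100.9 result=success
2025-06-03T09:05:12Z vpn auth user=jdoe src=203.0.113.5 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kind>\S+)\s*(?P<rest>.*)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict; return None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m.group("source"), "kind": m.group("kind"), **fields}


def reconstruct_timeline(raw: str, account: str, gap_hours: int = 24,
                         exfil_bytes: int = 100_000_000) -> dict:
    """Order all events for `account` and derive the facts the investigation must establish."""
    events = sorted((e for e in map(parse_line, raw.splitlines())
                     if e is not None and e.get("user") == account),
                    key=lambda e: e["ts"])
    if not events:
        return {"event_count": 0, "initial_access": None, "systems_accessed": [],
                "exfiltration_indicators": [], "records_exported": 0, "log_gaps": []}

    first = events[0]
    # Systems touched: the logging source plus any explicit host field.
    systems = {e["source"] for e in events} | {e["host"] for e in events if "host" in e}
    # Large outbound transfers are a candidate exfiltration indicator, not proof.
    exfil = [(e["ts"], e.get("dst"), int(e.get("bytes_out", 0))) for e in events
             if e["kind"] == "egress" and int(e.get("bytes_out", 0)) >= exfil_bytes]
    records = sum(int(e.get("patient_count", 0)) for e in events if e.get("action") == "export")
    # Silence longer than gap_hours between consecutive events may be a retention gap.
    gaps = [(a["ts"], b["ts"]) for a, b in zip(events, events[1:])
            if b["ts"] - a["ts"] > timedelta(hours=gap_hours)]

    return {"event_count": len(events),
            "initial_access": (first["ts"], first["source"], first.get("src")),
            "systems_accessed": sorted(systems),
            "exfiltration_indicators": exfil,
            "records_exported": records,
            "log_gaps": gaps}


if __name__ == "__main__":
    for key, value in reconstruct_timeline(SAMPLE_LOGS, "jdoe").items():
        print(f"{key}: {value}")
```

The gap check is deliberately crude: a quiet account produces gaps too, so each flagged interval is a prompt to confirm that logs for that period were actually retained, not a finding by itself. Likewise the egress threshold only surfaces candidates; whether those bytes contained ePHI is what the forensic analysis of the captured traffic and host artefacts has to establish.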

Regulatory Notifications

Once the scope of the breach is understood sufficiently to notify, work should begin on the required notifications. Legal counsel experienced in HIPAA enforcement should review all notification content and timing decisions.

OCR notifications are submitted through the HHS breach portal. OCR may open an investigation following notification, particularly for larger breaches. Organisations should be prepared to provide documentation of their HIPAA compliance programme, prior risk analyses, policies and procedures, and the investigation findings.

Many US states have their own data breach notification laws that apply in addition to HIPAA, often with different timelines or requirements. Organisations with patients in multiple states, or those that also hold non-health personal data, should assess state law obligations in parallel.

Patient Communication

Patient notification is both a regulatory obligation and a reputational matter. Communications should be clear, direct, and accurate. They should explain in plain language what happened, what information was involved, what risks patients face, and what concrete steps patients can take to protect themselves (such as monitoring their health insurance statements for fraudulent claims or placing a credit freeze).

Providing access to credit monitoring services is common practice following breaches that involve identifying information, though it is not required by HIPAA. A dedicated helpline staffed with knowledgeable staff is advisable for larger breaches.

Legal Considerations

Breaches involving ePHI frequently generate civil litigation from affected patients, particularly where the breach was large or the data was misused. Legal counsel should be involved from the earliest stages of the response to ensure that communications, documentation, and public statements are managed appropriately.

Law enforcement notification — to the FBI, Secret Service, or local cybercrime units — is advisable in ransomware cases and cases involving suspected criminal access. Law enforcement engagement does not delay regulatory notification obligations but can provide support during recovery and may be relevant to any subsequent prosecution.

Post-Breach Remediation

The breach response is not complete when notifications are sent. The organisation must address the root cause vulnerabilities that enabled the breach, validate that the attacker's access has been fully removed, and implement improvements to prevent recurrence.

Remediation should be prioritised by risk and tracked formally. OCR may require evidence of completed remediation as part of any investigation.

Lessons Learned

A structured lessons-learned review, conducted after the immediate crisis has passed, converts the breach experience into organisational learning. The review should examine what controls failed, whether the breach would have been detected sooner under different monitoring arrangements, whether the response plan worked as intended, and what changes to policy, technology, or training would reduce the likelihood or impact of a future incident.

This review should feed directly back into the HIPAA risk management programme and be documented.

FZ Consulting LLP supports healthcare organisations through data breach response, including investigation support, regulatory notification guidance, and post-breach remediation. Reach out to our team to discuss breach response planning and readiness.